Hi Amos

I'll post this issue to squid-dev, but FYI, here is the change I made (FOR TEST ONLY).

-----------------
*** /root/src/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 2009-04-24 06:21:00.000000000 -0300 --- /root/squid-3.0.STABLE14-20090424/helpers/ntlm_auth/fakeauth/fakeauth_auth.c 2009-04-24 11:19:28.000000000 -0300 *************** *** 158,163 **** --- 158,164 ---- NEGOTIATE_REQUEST_TARGET | (NEGOTIATE_UNICODE & flags ? NEGOTIATE_UNICODE : NEGOTIATE_ASCII) ); + chal->flags = flags; chal->hdr.type = htole32(NTLM_CHALLENGE); chal->unknown[6] = htole16(0x003a);
--------------------

Regards
Joao

> Date: Mon, 27 Apr 2009 14:41:39 +1200
> From: squid3@xxxxxxxxxxxxx
> To: alves_joao@xxxxxxxxxxx
> CC: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: problem fakeauth_auth
>
>>
>> Hi there
>>
>> We are facing a problem with the squid/fakeauth_auth helper after a change in
>> the NTLM parameters of our stations (Require Message Integrity, Message
>> Confidentiality, NTLMv2 Session Security, 128-bit Encryption).
>>
>> I made some tests and realized that the NTLMSSP flags returned in
>> NTLMSSP_CHALLENGE to the station are wrong:
>>
>>
>> 1 - Successful Authentication (ntlm_auth)
>>
>>   1 - HTTP/1.0 407 Proxy Authentication Required (text/html)
>>
>>
>>   2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
>>       -Proxy-Authorization: NTLM Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
>>       - NTLMSSP
>>           NTLMSSP identifier: NTLMSSP
>>           NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
>>           -Flags: 0xa208b207 - station sends this flag
>>
>>
>>   3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE (text/html)
>>       Proxy-Authenticate: NTLM TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
>>       NTLMSSP
>>           NTLMSSP identifier: NTLMSSP
>>           NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
>>           .....
>>           Flags: 0xa2898205 - station receives this flag from squid.
>>
>>   4 - HTTP/1.1 , NTLMSSP_AUTH, User: Domain\User
>>
>>
>>
>> 2 - Unsuccessful Authentication (fakeauth_auth)
>>
>>   1 - HTTP/1.0 407 Proxy Authentication Required (text/html)
>>
>>
>>   2 - GET http:/// HTTP/1.1 , NTLMSSP_NEGOTIATE
>>       -Proxy-Authorization: NTLM Taldjfpoa\sdfalsdmflasdflafajsdfjajasldjJAJA\r\n - EXAMPLE
>>       - NTLMSSP
>>           NTLMSSP identifier: NTLMSSP
>>           NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
>>           -Flags: 0xa208b207 - station sends this flag
>>
>>
>>   3 - HTTP/1.0 407 Proxy Authentication Required , NTLMSSP_CHALLENGE (text/html)
>>       Proxy-Authenticate: NTLM TaljdflasjdfljasdlfjoqAJDFJQOWEURPOQWEURPQWEJKROQWEUFÇLAJSLFJASDLFJKQWEO........................
>>       NTLMSSP
>>           NTLMSSP identifier: NTLMSSP
>>           NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002)
>>           .....
>>           Flags: 0x00018205 - station receives this flag from squid/fakeauth_auth.
>>
>>
>>   4 - Authentication Failed
>>
>>
>>
>>
>> As a test, I forced the NTLMSSP_CHALLENGE flags to be equal to
>> NTLMSSP_NEGOTIATE (0xa208b207), then it worked fine.
>>
>> fakeauth_auth.c
>>
>> void ntlmMakeChallenge(struct ntlm_challenge *chal, int32_t flags)
>> {
>>     static unsigned hash;
>>     int r;
>>     char *d;
>>     int i;
>>
>>     debug("ntlmMakeChallenge: flg %08x\n", flags);
>>
>>     memset(chal, 0, sizeof(*chal));
>>     memcpy(chal->hdr.signature, "NTLMSSP", 8);
>>     chal->flags = htole32(CHALLENGE_TARGET_IS_DOMAIN |
>>         NEGOTIATE_ALWAYS_SIGN |
>>         NEGOTIATE_USE_NTLM |
>>         NEGOTIATE_REQUEST_TARGET |
>>         (NEGOTIATE_UNICODE & flags ?
>>         NEGOTIATE_UNICODE : NEGOTIATE_ASCII)
>>         );
>>     // Testing purpose
>>     chal->flags = flags;
>>
>>     chal->hdr.type = htole32(NTLM_CHALLENGE);
>>     chal->unknown[6] = htole16(0x003a);
>>
>>     d = (char *) chal + 48;
>>     i = 0;
>>
>>     if (authenticate_ntlm_domain != NULL)
>>         while (authenticate_ntlm_domain[i++]);
>>
>>
>>     chal->target.offset = htole32(48);
>>     chal->target.maxlen = htole16(i);
>>     chal->target.len = chal->target.maxlen;
>>
>>     r = (int) rand();
>>     r = (hash ^ r) + r;
>>
>>     for (i = 0; i < 8; i++) {
>>         chal->challenge[i] = r;
>>         r = (r >> 2) ^ r;
>>     }
>>
>>     hash = r;
>> }
>>
>>
>> any idea?
>
> First idea is that you should be sending code issues to squid-dev where we
> who fix the code hang out.
>
> Secondly, what exactly did you change to make it work? diff patch is
> required please along with the info as to what version of squid it is made
> from.
>
> Thirdly, note that NTLMv2 is not really NTLM any more. The fakeauth helper
> needs to handle both these days. Either with command line switches to
> configure the auth type in use or automatic sensing.
> see http://en.wikipedia.org/wiki/NTLM for some details of the differences.
> If we can make this helper cope without losing the old protocol I will
> commit for you.
>
> Thanks
> Amos
>
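
Review bot: In the 158,164 hunk of fakeauth_auth.c, the added `chal->flags = flags;` overwrites the flag set built by the statement directly above it, so that htole32(...) expression becomes a dead store and the challenge echoes every bit the client sent in its NEGOTIATE message, whether or not the helper supports it. It is also the only assignment in the hunk stored without htole32()/htole16(), unlike `chal->hdr.type = htole32(NTLM_CHALLENGE);` on the next line, so the result depends on host byte order if flags is held in host order, as the `NEGOTIATE_UNICODE & flags` test suggests. For a committable version, consider extending the existing htole32(...) expression to OR in only the specific negotiated bits the helper is prepared to honour, instead of replacing it.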
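
The flag values quoted in the two traces above can be compared bit by bit to see what each CHALLENGE leaves out. This C program is an added example, not code from the thread or from Squid; the flag names follow MS-NLMP, and the choice of which bits count as session-security requirements (SESSION_SECURITY_MASK) is an assumption made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* NTLMSSP flag bits, named as in MS-NLMP (only the bits seen in the traces). */
static const struct { uint32_t bit; const char *name; } NTLM_FLAGS[] = {
    {0x00000001u, "NEGOTIATE_UNICODE"},
    {0x00000002u, "NEGOTIATE_OEM"},
    {0x00000004u, "REQUEST_TARGET"},
    {0x00000200u, "NEGOTIATE_NTLM"},
    {0x00001000u, "OEM_DOMAIN_SUPPLIED"},
    {0x00002000u, "OEM_WORKSTATION_SUPPLIED"},
    {0x00008000u, "NEGOTIATE_ALWAYS_SIGN"},
    {0x00010000u, "TARGET_TYPE_DOMAIN"},
    {0x00080000u, "NEGOTIATE_EXTENDED_SESSIONSECURITY"},
    {0x00800000u, "NEGOTIATE_TARGET_INFO"},
    {0x02000000u, "NEGOTIATE_VERSION"},
    {0x20000000u, "NEGOTIATE_128"},
    {0x80000000u, "NEGOTIATE_56"},
};

/* Assumption: bits treated here as session-security requirements. */
#define SESSION_SECURITY_MASK (0x00080000u | 0x20000000u | 0x80000000u)

/* Bits the client set in NEGOTIATE that the CHALLENGE did not echo back. */
uint32_t dropped_flags(uint32_t negotiate, uint32_t challenge)
{
    return negotiate & ~challenge;
}

/* The dropped bits that a policy-hardened client may refuse to go without. */
uint32_t dropped_security_flags(uint32_t negotiate, uint32_t challenge)
{
    return dropped_flags(negotiate, challenge) & SESSION_SECURITY_MASK;
}

static void report(const char *helper, uint32_t negotiate, uint32_t challenge)
{
    uint32_t lost = dropped_security_flags(negotiate, challenge);
    printf("%s: challenge 0x%08x drops 0x%08x\n", helper,
           (unsigned)challenge, (unsigned)dropped_flags(negotiate, challenge));
    for (size_t i = 0; i < sizeof NTLM_FLAGS / sizeof NTLM_FLAGS[0]; i++)
        if (lost & NTLM_FLAGS[i].bit)
            printf("  missing session-security flag: %s\n", NTLM_FLAGS[i].name);
}

int main(void)
{
    /* Flag values copied from the two traces in the thread. */
    report("ntlm_auth", 0xa208b207u, 0xa2898205u);
    report("fakeauth_auth", 0xa208b207u, 0x00018205u);
    return 0;
}
```

With the values from the thread, the ntlm_auth challenge omits only the OEM and "supplied" indicator bits, while the fakeauth_auth challenge omits extended session security and the 128-bit and 56-bit key flags.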